Re: SUDO

On Mon, Jun 29, 2009 at 10:16 AM, Mertens, Bram <mertensb@xxxxxxxxxxxx> wrote:

> I'd like to elaborate on this a bit.
>
> The intention of sudo is to allow specific users to execute specific
> commands while keeping the root account locked down.  In addition sudo
> provides a trace of which user executed which command in /var/log/secure
> that can be used for auditing.
>
> The sudoers file should allow as little as possible to as few users as
> possible!
>
> If you allow users to execute sudo su - with or without having to enter
> the root password you gain nothing.  While working as root no actions
> are logged and all log files can be edited to remove any trace of
> "illegal" actions.
>
> The same applies for sudo bash, this will grant the user full shell
> access without logging.
>
> Another example is sudo vi(m): from within vi the user can execute any
> command without any kind of logging.
>
> As for reading the log files: have a look at ACLs, configuring that
> allows you to grant read access to log files to a specific user or group
> of users.
>
> Kind regards
>
> Bram
>
> >
>
>
> Mazda Motor Logistics Europe NV, Blaasveldstraat 162, B-2830 Willebroek
> VAT BE 0406.024.281, RPR Mechelen, ING  310-0092504-52, IBAN : BE64 3100
> 0925 0452, SWIFT : BBRUBEBB
>
> -----Original Message-----
> > From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-
> > bounces@xxxxxxxxxx] On Behalf Of Marti, Rob
> > Sent: maandag 22 juni 2009 21:01
> > To: General Red Hat Linux discussion list
> > Subject: RE: SUDO
> >
> > IME it may be a "real pain" to sudo view every log, but for any time
> > you need accountability, you should either sudo view all logs, or
> > change who owns log files (IE create a log group and give group read
> > access to them).  Once you switch to root there's no "reliable"
> > logging of what's going on.
> >
> > Allowing sudo su - (implied root) is a bad idea, imo.
> >
> > Rob Marti
> > ________________________________________
> > From: redhat-list-bounces@xxxxxxxxxx [redhat-list-bounces@xxxxxxxxxx]
> > On Behalf Of mark [m.roth2006@xxxxxxx]
> > Sent: Monday, June 22, 2009 13:27
> > To: General Red Hat Linux discussion list
> > Subject: Re: SUDO
> >
> > Hike wrote:
> > > Why?
> > >
> > > If the user knows the root password, there is no need.
> >
> > Ok, let me explain further. We're not talking home systems, we're
> > talking corporate. And no, *not* everyone knows the root password. In
> > fact, using sudo su - means they do not have to know it.
> > >
> > > If sudo is configured correctly, there is no need to "su - root"
> > > since the user can already run the needed commands.
> >
> > That depends. Some users - presumably admins - can be configured to be
> > allowed to run only certain commands. Others may need less limited use,
> > and it can be a lot easier if they can get to root; for example, when
> > I'm going to look at logs, and only root can read them, or even look in
> > some directories under /var/log, it's a *real* pain to sudo view every
> > single log.
> > >
> > > "man sudo" should explain how to configure sudo and the location of
> > > the configuration file.
> > >
> > > Did you stop to think that you might not be permitted to do this
> > > with sudo or that the "sudo su - root" may need to be defined in the
> > > configuration file or that the entire su command may need to be
> > > quoted, etc. So that sudo would understand?
> >
> > The original poster did say they thought they'd configured it
> > correctly, implying - this may not be the case - that they did have
> > access to do this.
> >
> >         mark
> > >
> > > On Jun 22, 2009, at 1:27 PM, Matias Nicolas
> > <matiasnicolas@xxxxxxxxxx>
> > > wrote:
> > >
> > >>
> > >> I know that sudo is for running commands with root privileges but
> > >> this idea is about typing "sudo su -" and use one's password and not
> > >> root's.
> > >>
> > >>
> > >>
> > >> That's all...
> > >>
> > >>> Date: Mon, 22 Jun 2009 12:14:41 -0500
> > >>> From: m.roth2006@xxxxxxx
> > >>> To: redhat-list@xxxxxxxxxx
> > >>> Subject: Re: SUDO
> > >>>
> > >>> Hike wrote:
> > >>>> If you have the root password, try the following.
> > >>>>
> > >>>> $ su - root
> > >>>>
> > >>>> When prompted, enter the root password.
> > >>>>
> > >>>> sudo is to permit regular users to run privileged commands. What
> > >>>> you are trying to do is overly complex and redundant.
> > >>>>
> > >>> Not necessarily. A lot of places want more security, and locking
> > >>> down root.
> > >>>
> > >>> mark
> > >>>
> > >>> --
> > >>> redhat-list mailing list
> > >>> unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
> > >>> https://www.redhat.com/mailman/listinfo/redhat-list
> > >>
> > >
> >
>


the op wants to hack the system and gain resources he has no authorization
for.
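One way to turn Bram's rules of thumb into a check, as an added example that is not from the thread or any Red Hat tool: a shell function (the names flag_shell_rules, count_shell_rules and the sample file are assumptions) that reads a constructed sudoers sample and reports every rule granting su, a shell, vi(m) or ALL, i.e. a root session that leaves no per-command trace in /var/log/secure.

```shell
# Constructed sample sudoers (not a real host's file); the "weak" rules are
# the ones the thread warns about, the "tight" ones grant one logged command.
SAMPLE="${TMPDIR:-/tmp}/sudoers.sample.$$"
cat > "$SAMPLE" <<'EOF'
Defaults    logfile=/var/log/sudo.log
Cmnd_Alias  SERVICES = /sbin/service, /usr/bin/systemctl
# weak: each of these hands the caller an unlogged root shell
mark    ALL=(ALL)       /bin/su -
rob     ALL=(ALL)       NOPASSWD: /bin/bash
ops     ALL=(root)      /usr/bin/vim /etc/hosts, SERVICES
jr      ALL=(ALL)       ALL
# tight: one specific command, and every invocation is logged
bram    ALL=(root)      /sbin/service httpd restart
log     ALL=(root)      /usr/bin/tail /var/log/secure
EOF

# Print "user: command" for every rule that grants a root shell or a command
# with a known shell escape. Cmnd_Alias expansion is deliberately not handled.
flag_shell_rules() {
  awk -v bad='^(su|sh|bash|dash|ksh|zsh|vi|vim|view)$' '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }            # comments, blanks
    /^(Defaults|Cmnd_Alias|User_Alias|Host_Alias|Runas_Alias)/ { next }
    {
      user = $1; line = $0
      sub(/^[^=]*=[[:space:]]*/, "", line)          # drop "user HOST="
      sub(/^\([^)]*\)[[:space:]]*/, "", line)       # drop "(runas)"
      n = split(line, cmds, /,/)
      for (i = 1; i <= n; i++) {
        c = cmds[i]
        gsub(/^[[:space:]]+|[[:space:]]+$/, "", c)
        sub(/^([A-Z]+:[[:space:]]*)+/, "", c)       # drop NOPASSWD: and other tags
        sub(/[[:space:]].*$/, "", c)                # keep the command word only
        base = c; sub(/.*\//, "", base)             # its basename
        if (c == "ALL" || base ~ bad) print user ": " c
      }
    }' "$1"
}

# Number of risky rules, for a quick pass/fail in a configuration check.
count_shell_rules() { flag_shell_rules "$1" | grep -c .; }

# For reading logs, Bram's ACL suggestion replaces a sudo rule altogether,
# e.g.: setfacl -m g:logreaders:r /var/log/secure
flag_shell_rules "$SAMPLE"
```

Run against the real file with `flag_shell_rules /etc/sudoers`; a non-zero count is the list of users who can work as root without a per-command trace.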
